Analysis
max time kernel    117s
max time network   16s
platform           windows7_x64
resource           win7-20240729-en
resource tags      arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted          04/09/2024, 23:37
Static task
static1

Behavioral task behavioral1
Sample     6be493e835b83fa3fe2e7f48b6f25240N.exe
Resource   win7-20240729-en

Behavioral task behavioral2
Sample     6be493e835b83fa3fe2e7f48b6f25240N.exe
Resource   win10v2004-20240802-en

The platform and resource in the Analysis block above match behavioral1; the signatures, process tree and paths that follow (Documents and Settings, Windows Sidebar, Windows Mail, Windows Journal) are from that Windows 7 x64 run.
General
Target   6be493e835b83fa3fe2e7f48b6f25240N.exe
Size     76KB
MD5      6be493e835b83fa3fe2e7f48b6f25240
SHA1     ab3a27144f20de62e1d384cdd3c7011e4d4a200f
SHA256   f10b8dc92701fd7b508a48e41ba420299ebfc1bf9d93d5e931c8ae094787d715
SHA512   7cf022915904af0ee475f3989f15a5d0b92e908b64f01fad3d467e93288c71c93ba50a3f28094800e441cd91df7f0614f446e92c15e851d27b83b20ac746c881
SSDEEP   768:ie8bNRqsuhlGOBnhgFwumSCbxTGy/BBGg4NKJJKqUThbJ32+ve7i40vN0TlT+XkE:mnqJu3abBGy3G8V0iuoct
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vcww.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vcww.exe

Note: HideFileExt = 1 and ShowSuperHidden = 0 are the Windows defaults, so on a host these two values alone prove nothing. The signal is that both the sample and its dropped copy write them explicitly, and that they are written together with the NeverShowExt values on exefile, .Msd and .sysm listed further down, which hide extensions even when a user has turned HideFileExt off.
Executes dropped EXE (1 IoC)
pid | Process
2512 | vcww.exe

Loads dropped DLL (2 IoCs)
pid | Process
1364 | 6be493e835b83fa3fe2e7f48b6f25240N.exe
1364 | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Modifies system executable filetype association (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | vcww.exe

Note: NeverShowExt on the exefile class makes Explorer drop the .exe suffix from every executable's display name regardless of the per-user HideFileExt setting. Together with the .Msd and .sysm classes registered below (also NeverShowExt, with icons borrowed from rasphone.exe and netsetup.exe), a dropped PE can be presented under a misleading name and icon.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" | vcww.exe

Note: vcww.exe is a 32-bit process on a 64-bit image, so its write to HKLM\SOFTWARE\...\Run is reflected under Wow6432Node, and the file it names as c:\windows\system32\Desktop.sysm was actually created under c:\windows\SysWOW64 (see "Drops file in System32 directory"). The target is a .sysm file; the .sysm class registered under "Modifies registry class" sets Shell\Open\Command to "%1", which makes the shell execute the file itself, so a .sysm file is simply a PE with a disguised extension.
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M:, \??\N:, \??\Q:, \??\Y:, \??\Z:, \??\E:, \??\I:, \??\W:, \??\G:, \??\V:, \??\P:, \??\U:, \??\L:, \??\O:, \??\J:, \??\K:, \??\R:, \??\S:, \??\T:, \??\X:, \??\B:, \??\H: (one IoC per drive letter) | vcww.exe
Drops file in System32 directory (6 IoCs)
description | ioc | Process
File created | \??\c:\windows\SysWOW64\maxtrox.txt | 6be493e835b83fa3fe2e7f48b6f25240N.exe
File created | \??\c:\windows\SysWOW64\Windows 3D.scr | 6be493e835b83fa3fe2e7f48b6f25240N.exe
File opened for modification | \??\c:\windows\SysWOW64\maxtrox.txt | vcww.exe
File opened for modification | \??\c:\windows\SysWOW64\Windows 3D.scr | vcww.exe
File created | \??\c:\windows\SysWOW64\Desktop.sysm | vcww.exe
File created | \??\c:\windows\SysWOW64\CommandPrompt.Sysm | vcww.exe
Drops file in Program Files directory (34 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Internet Explorer\ieinstal.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\plugin-container.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Defender\MpCmdRun.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\WMPDMC.exe | vcww.exe
File opened for modification | \??\c:\Program Files\7-Zip\7zFM.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmplayer.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmpnetwk.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Sidebar\sidebar.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Internet Explorer\ielowutil.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmpnscfg.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Internet Explorer\iediagcmd.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\pingsender.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Mail\wab.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmlaunch.exe | vcww.exe
File opened for modification | \??\c:\Program Files\7-Zip\Uninstall.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmprph.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Internet Explorer\iexplore.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\firefox.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\private_browsing.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\updater.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Journal\PDIALOG.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\crashreporter.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Mail\wabmig.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmpconfig.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmpenc.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmpshare.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe | vcww.exe
File opened for modification | \??\c:\Program Files\7-Zip\7zG.exe | vcww.exe
File opened for modification | \??\c:\Program Files\Windows Defender\MSASCui.exe | vcww.exe
File opened for modification | \??\c:\Program Files\7-Zip\7z.exe | vcww.exe

Note: every entry is an open-for-write on an existing third-party or Windows executable, not a new file. The report records the open, not the bytes written, so whether these binaries were actually altered has to be confirmed on the host (signature check or hash comparison against a clean install).
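Added example, not part of the tria.ge report: a host-side check for the 34 Program Files executables listed above. The report shows vcww.exe opening them for modification but not what it wrote, so the question on an affected machine is whether the files changed. The script verifies each file's Authenticode signature; the relative paths are copied from the report, while the base directory, the output shape and the interpretation comments are my own assumptions.

```powershell
# Added integrity check for the executables vcww.exe opened for modification.
# Example code, not tria.ge output. Relative paths are from the report; the base
# directory and output format are assumptions. Run from an elevated PowerShell session.

$base = 'C:\Program Files'   # every path in the report's list sits under this directory

$opened = @(
    'Internet Explorer\ieinstal.exe', 'Internet Explorer\ielowutil.exe',
    'Internet Explorer\iediagcmd.exe', 'Internet Explorer\iexplore.exe',
    'Mozilla Firefox\minidump-analyzer.exe', 'Mozilla Firefox\plugin-container.exe',
    'Mozilla Firefox\pingsender.exe', 'Mozilla Firefox\maintenanceservice_installer.exe',
    'Mozilla Firefox\firefox.exe', 'Mozilla Firefox\maintenanceservice.exe',
    'Mozilla Firefox\private_browsing.exe', 'Mozilla Firefox\updater.exe',
    'Mozilla Firefox\default-browser-agent.exe', 'Mozilla Firefox\crashreporter.exe',
    'Windows Defender\MpCmdRun.exe', 'Windows Defender\MSASCui.exe',
    'Windows Media Player\WMPDMC.exe', 'Windows Media Player\wmplayer.exe',
    'Windows Media Player\wmpnetwk.exe', 'Windows Media Player\wmpnscfg.exe',
    'Windows Media Player\wmlaunch.exe', 'Windows Media Player\wmprph.exe',
    'Windows Media Player\wmpconfig.exe', 'Windows Media Player\wmpenc.exe',
    'Windows Media Player\wmpshare.exe', 'Windows Media Player\WMPSideShowGadget.exe',
    'Windows Sidebar\sidebar.exe', 'Windows Mail\wab.exe', 'Windows Mail\wabmig.exe',
    'Windows Journal\PDIALOG.exe',
    '7-Zip\7zFM.exe', '7-Zip\Uninstall.exe', '7-Zip\7zG.exe', '7-Zip\7z.exe'
)

$results = foreach ($rel in $opened) {
    $path = Join-Path $base $rel
    if (-not (Test-Path -LiteralPath $path)) { continue }   # not installed on this host
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $item = Get-Item -LiteralPath $path
    [pscustomobject]@{
        Path          = $path
        Status        = $sig.Status      # Valid, HashMismatch, NotSigned, UnknownError, ...
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Length        = $item.Length
        LastWriteTime = $item.LastWriteTime
    }
}

# HashMismatch is the strong signal: the file carries a signature but its bytes no longer
# match it, which is what an in-place rewrite of a signed binary leaves behind.
# NotSigned is inconclusive on its own (the official 7-Zip builds ship unsigned), so
# compare those files by hash against a clean installation of the same version.
$results | Sort-Object Status, Path | Format-Table -AutoSize

$suspect = @($results | Where-Object { $_.Status -eq 'HashMismatch' })
if ($suspect.Count -gt 0) {
    "[!] $($suspect.Count) signed binaries no longer match their signature:"
    $suspect | ForEach-Object { "    $($_.Path)  (modified $($_.LastWriteTime))" }
}
```

A LastWriteTime clustered around the time the sample ran, on files that otherwise never change between product updates, is a useful secondary indicator for the unsigned entries.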
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vcww.exe
Modifies registry class (36 IoCs)
Both the sample and its dropped copy register two file classes under HKLM\SOFTWARE\Classes: .Msd (display name "Microsoft System Direct", default icon taken from rasphone.exe) and .sysm (display name "System Mechanic", default icon taken from netsetup.exe). Each class sets NeverShowExt and a Shell\Open\Command of "%1", so a file with either extension is executed directly when opened, with its extension hidden and a system icon attached.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | vcww.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" | vcww.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" | vcww.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt | vcww.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" | vcww.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm | vcww.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon | vcww.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd | vcww.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon | vcww.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt | vcww.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" | vcww.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" | vcww.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command | vcww.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command | vcww.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | vcww.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" | vcww.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1364 | 6be493e835b83fa3fe2e7f48b6f25240N.exe
2512 | vcww.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1364 wrote to memory of 2512 | 1364 | 6be493e835b83fa3fe2e7f48b6f25240N.exe | 30
PID 1364 wrote to memory of 2512 | 1364 | 6be493e835b83fa3fe2e7f48b6f25240N.exe | 30
PID 1364 wrote to memory of 2512 | 1364 | 6be493e835b83fa3fe2e7f48b6f25240N.exe | 30
PID 1364 wrote to memory of 2512 | 1364 | 6be493e835b83fa3fe2e7f48b6f25240N.exe | 30

Note: all four writes go from the original sample to vcww.exe, the child it spawned (see Processes), not to an unrelated process. That pattern is consistent with ordinary process creation of the dropped copy; the report gives no evidence of injection into a third-party process.
Processes

C:\Users\Admin\AppData\Local\Temp\6be493e835b83fa3fe2e7f48b6f25240N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6be493e835b83fa3fe2e7f48b6f25240N.exe"
PID: 1364
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcww.exe (child of PID 1364)
  Command line: "c:\Documents and Settings\Admin\Application Data\Microsoft\vcww.exe" 6be493e835b83fa3fe2e7f48b6f25240N
  PID: 2512
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

Note: the dropped copy is started through the legacy "Documents and Settings\...\Application Data" path, which on Windows 7 is a junction chain to C:\Users\Admin\AppData\Roaming, so the file to look for on a host is %APPDATA%\Microsoft\vcww.exe. It is passed the original sample's file name without extension as its only argument.
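Added example, not part of the tria.ge report: a PowerShell hunting script for the registry values and dropped files recorded in the Signatures and Processes sections above. Registry paths, value names and file names are taken from the report; the script structure and output format are mine, and the %APPDATA%\Microsoft location of vcww.exe is derived from the legacy profile path shown in the process tree. It reads the current user's Explorer settings, so run it as the affected user (or with that user's hive loaded) from an elevated session; Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added hunting script for the artifacts in this report (example code, not tria.ge
# output). Registry paths, value names and file names are from the report; everything
# else is illustrative. Run elevated, as the affected user.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Explorer hiding settings. The report shows them under the victim's SID, i.e. HKCU.
#    Both values are Windows defaults, so report them as context rather than proof.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$advProps = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
if ($advProps.HideFileExt -eq 1)     { $findings.Add("HideFileExt = 1 under $adv (default, context only)") }
if ($advProps.ShowSuperHidden -eq 0) { $findings.Add("ShowSuperHidden = 0 under $adv (default, context only)") }

# 2. NeverShowExt on the exefile class hides .exe even when HideFileExt is off.
$exefile = 'HKLM:\SOFTWARE\Classes\exefile'
$exeKey = Get-Item -Path $exefile -ErrorAction SilentlyContinue
if ($exeKey -and ($exeKey.GetValueNames() -contains 'NeverShowExt')) {
    $findings.Add("NeverShowExt present on $exefile")
}

# 3. The two file classes the sample registers. Shell\Open\Command = "%1" means the
#    file itself is executed, so a .sysm or .Msd file is a PE with a disguised extension.
foreach ($ext in @('.sysm', '.Msd')) {
    $cls = "HKLM:\SOFTWARE\Classes\$ext"
    if (Test-Path -Path $cls) {
        $cmdKey = Get-ItemProperty -Path "$cls\Shell\Open\Command" -ErrorAction SilentlyContinue
        $cmd = if ($cmdKey) { $cmdKey.'(default)' } else { '<none>' }
        $findings.Add("file class $ext registered, open command = $cmd")
    }
}

# 4. Run value written by vcww.exe. The 32-bit writer lands under Wow6432Node on x64;
#    the native view is checked as well in case the same name was planted there.
$runKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($run in $runKeys) {
    $runProps = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($runProps -and $runProps.PSObject.Properties['VisualStyle']) {
        $findings.Add("Run value VisualStyle = $($runProps.VisualStyle) under $run")
    }
}

# 5. Dropped files. The Run value says system32, but the 32-bit writer was redirected to
#    SysWOW64, so that is where the report shows them. vcww.exe lives in %APPDATA%\Microsoft
#    (the report's 'Documents and Settings\...\Application Data' path is the legacy junction).
$dropped = @(
    (Join-Path $env:SystemRoot 'SysWOW64\Desktop.sysm'),
    (Join-Path $env:SystemRoot 'SysWOW64\CommandPrompt.Sysm'),
    (Join-Path $env:SystemRoot 'SysWOW64\maxtrox.txt'),
    (Join-Path $env:SystemRoot 'SysWOW64\Windows 3D.scr'),
    (Join-Path $env:APPDATA    'Microsoft\vcww.exe')
)
foreach ($file in $dropped) {
    if (Test-Path -LiteralPath $file) {
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        $findings.Add("dropped file present: $file  SHA256=$hash")
    }
}

if ($findings.Count -eq 0) {
    'No artifacts from this report were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Any hit in sections 2 to 5 is worth escalating on its own; the SHA256 printed for a recovered vcww.exe can be compared with the hashes in the General and Downloads sections of this report.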
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2): Hidden Files and Directories (2)
- Modify Registry (4)
Downloads
Filesize   76KB
MD5        59b268f80824c51d6501091560356c54
SHA1       765138e38978fbfb64c5e591fa10bf9a06a3d94e
SHA256     192f728af2a9aa5984d084fbe1f49d315d13e378694a4b01bd8aed3035fee153
SHA512     b9ebc0fbde9e515a3ea3dfd43c7ca59e3ff7cbe2c70cf6323fe94cbc82d8ae9b0754d9ac56064d0bbd9a084d6cada3e7874362e99461ac97992bb209ffa494ca